CVE-2024-5141 is a stored Cross-Site Scripting (XSS) vulnerability identified in the mpntod Rotating Tweets WordPress plugin, which provides a Twitter widget and shortcode functionality. The vulnerability exists due to insufficient sanitization and escaping of user-supplied input in the 'rotatingtweets' attribute, allowing malicious scripts to be stored persistently in the website's content. Authenticated users with contributor-level permissions or higher can exploit this flaw by injecting arbitrary JavaScript code into pages or posts. When other users access these pages, the injected scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions on their behalf. The vulnerability affects all versions up to and including 1.9.10 of the plugin. The CVSS 3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, and privileges required but no user interaction needed. The scope is changed, indicating that the vulnerability affects components beyond the initially vulnerable plugin, potentially impacting the entire WordPress site. No patches or fixes are currently linked, and no known exploits have been observed in the wild as of the publication date. This vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of this vulnerability is the compromise of confidentiality and integrity of user sessions and data on affected WordPress sites. Attackers with contributor-level access can inject malicious scripts that execute in the context of other users, including administrators, potentially leading to session hijacking, privilege escalation, defacement, or distribution of malware. This can damage the reputation of affected organizations, lead to data breaches, and disrupt normal website operations. Since WordPress powers a significant portion of the web, sites using this plugin are at risk, especially those with multiple contributors or editors. The vulnerability does not directly impact availability but can indirectly cause downtime or loss of user trust. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the low complexity and lack of user interaction make it a viable attack vector in many environments.

Organizations should immediately audit their WordPress installations to identify the presence of the Rotating Tweets plugin and verify the version in use. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to eliminate the attack surface. Restrict contributor-level permissions to trusted users only and monitor for suspicious activity or unauthorized content changes. Implement Web Application Firewalls (WAFs) with rules to detect and block common XSS payloads targeting the plugin's input fields. Employ Content Security Policy (CSP) headers to reduce the impact of injected scripts. Regularly review and sanitize user-generated content before publishing. Additionally, maintain strict access controls and enforce multi-factor authentication to reduce the risk of account compromise. Once a patch is available, apply it promptly and test the site for residual vulnerabilities.